Expert Reference Series of White Papers
Understanding NIST’s Cloud Computing Reference Architecture: Part II
Vince Lo Faso, Global Knowledge Instructor, Cloud Essentials Professional, ITIL® Expert
Introduction
In 2010 the Federal CIO, Vivek Kundra, laid out a bold strategy for US federal agencies to adopt a cloud-first policy.1 A cloud-first strategy encourages federal agencies to evaluate current delivery of IT services and assess if all, or a part of, such IT services can be deployed through a cloud-computing model. To support this initiative, the National Institute of Standards and Technology (NIST) was mandated to provide the technical leadership and the development of standards for the adoption and implementation of cloud computing for federal agencies. One of the key documents produced by the NIST workgroups is the Cloud Computing Reference Architecture.2 The Reference Architecture provides a vendor-neutral cloud framework that serves as a reference model for discussion and clarification of cloud principles and operations. Understanding this reference model helps all cloud participants to better understand the scope of their roles and responsibilities.
This white paper examines the NIST Cloud Computing Reference Architecture in a two-part series. The first part covers the cloud players and their roles and responsibilities. The second part, which is the subject of this white paper, focuses on the Reference Architecture components, activities, and functions. Together these white papers explain the NIST Reference Architecture in greater detail so all stakeholders can better discuss the requirements, standards, and operation of cloud-computing environments.
Overview of Reference Architecture Model
The NIST Reference Architecture model (see figure 1) defines five key cloud players: cloud consumer, cloud provider, cloud carrier, cloud broker, and cloud auditor. Each cloud player (called "actors" by NIST) can be an individual or an organization that "participates in a transaction or process and/or performs tasks in cloud computing."3
Figure 1: NIST Cloud Reference Architecture4
Three cloud players have explicit processes and activities that they need to perform in order to ensure successful cloud service delivery. The activities of the cloud provider, the cloud broker, and the cloud auditor are discussed later in this white paper.
Cloud Provider Function—Service Orchestration
Through Service Orchestration, a cloud provider operates the underlying cloud-service infrastructure that supports its customers. NIST defined service orchestration as “the composition of system components to support the Cloud Providers activities in arrangement, coordination and management of computing resources in order to provide cloud services to Cloud Consumers.”5 These activities are broken out into three areas and are discussed below.
Service Layer
The Service Layer is where the cloud provider defines the interface between the cloud consumer and the cloud services of the cloud provider. The interface points are grouped according to the three service models (SaaS, PaaS, and IaaS). A cloud provider may define interface points in all three service models or just a subset. In some cases a provider may implement a high-level service model (e.g., SaaS) by using the interface points defined in the lower layers. For example, SaaS may be built by using components from the PaaS layer, and run operationally by using resource components from the IaaS layer (e.g., virtual servers, cloud storage, virtual firewalls). A real-world example of this is Google's cloud offerings. They offer a variety of SaaS products (Gmail, Google Search, Google Maps, Google Apps, etc.) by using PaaS components (Google App Engine), which in turn run operationally on Google's cloud IaaS (Google Cloud Platform).
In figure 2, the “angling” of the service models represents the case where a cloud provider chooses to offer a service layer without the support of the lower-layer interface points. For example, salesforce.com provides both SaaS and PaaS products. The SaaS layer is built by using the well-defined interface components from the PaaS. However, in this case, there is no IaaS layer offered. They run SaaS directly on the resource abstraction layer (hypervisor/virtual storage) with no explicit IaaS components.
Resource Abstraction and Control Layer
This layer consists of two distinct but related areas: resource abstraction and control. The Resource Abstraction Layer primarily deals with virtualization. The Virtualization Essentials course defines the concept of virtualization as "a set of techniques for hiding hardware resources behind software abstractions to simplify the way other software or end users interact with those resources." This definition highlights the fact that the abstraction layer “transforms” the hardware resources into software objects, which makes them easier to manipulate. The manipulation of the software-abstracted resources enables greater functionality and easier configuration. This is what enables cloud elasticity and automation. The hypervisor and storage area networks (SANs) are two examples of this concept.
The Control Layer provides the resource-management capabilities that allow dynamic resource allocation, scaling, dynamic reconfiguration, and dynamic access control. Commercial products such as vCloud from VMware, and open source projects such as OpenStack, are prime examples.
Physical Resource Layer
The Physical Resource Layer covers all of the traditional hardware resources that underpin the IT infrastructure. This layer consists of physical servers (CPU, memory, bus architecture), disks and storage arrays, network wiring, switches, and routers. This layer also covers the physical data center facility components such as heating, ventilation, air conditioning (HVAC), electrical power, backup generators, and fuel; physical control of data centers by IT staff and contractors; and cabling to outside cloud carriers, phone communication, etc.
Cloud Provider Function—Cloud Service Management
Cloud Service Management is a set of processes and activities a cloud provider must perform in order to satisfactorily deliver cloud services to consumers. These apply equally to a public cloud provider and a private cloud provider. NIST groups these processes and activities into three broad areas: Business Support, Provisioning and Configuration, and Portability and Interoperability. See figure 3.
Figure 3: NIST Cloud Service Management7
Business Support
The Business Support processes are business-oriented and focus on the business operations of a cloud provider as they relate to the delivery of cloud services to cloud consumers. There are six key functions.
Customer Management:
This area covers the activities necessary to manage and maintain the relationship with the cloud consumer. It deals with items such as customer accounts, complaints and issues, customer contact information, history of customer interactions, etc. In a traditional customer-vendor relationship these functions would be performed by a sales team. In a cloud environment, this activity is driven primarily by the customer. As per NIST's cloud definition, these traditional interactions through a sales representative should be minimal or nonexistent. All or most business contact should be conducted via a self-service portal, putting as much control as possible into the hands of the consumer.
Contract Management:
This process focuses on the management of contracts between the cloud provider and consumer. This is implemented via Service Level Agreements (SLAs). Consumers generally pick the level of SLA that meets their requirements and budget.
This function monitors, tracks, and logs activities performed by the consumer, usually through the management console. This helps to document what cloud resources the consumer requests, who requested it, and when.
Pricing and Rating:
This process establishes the price points and tiering for the cloud services of the cloud provider. It ensures that the cloud provider is competitive by monitoring the competition's pricing and making adjustments as required. The cloud provider usually offers discounts or credits to the consumer based on volume usage.
Provisioning and Configuration
The Provisioning and Configuration area deals with process activities that the cloud provider must execute as part of its internal operations. The more mature the provider's capabilities are in this area, the more effective and efficient the provider's delivery of cloud services will be.
Rapid Provisioning:
A cloud provider must be able to quickly respond to varying workload demands. This includes scaling up as well as scaling down. This must be fully automated and requires a scriptable, virtualized infrastructure.
Resource Changing:
To support rapid elasticity, the provider must implement changes to its underlying resources effectively and speedily, primarily through automation. These changes include replacing broken components, upgrading components, adding greater capacity, and reconfiguring existing components.
Monitoring and Reporting:
Ongoing monitoring of the provider's operations and cloud infrastructure is critical to ensure effective and optimal quality of service. The handling and resolution of events and incidents is ongoing 24 x 7 x 365.
SLA Management:
The cloud provider must ensure that it is meeting its contractual obligations to its customers. Ongoing management of SLA targets and operational level targets are performed to maintain a high quality of service.
Portability and Interoperability
In order for cloud providers to attract customers, they must make it as easy as possible to migrate existing data or software to the cloud. In addition to alleviating customers' concerns about vendor lock-in, cloud providers must provide a mechanism that permits cloud consumers to move easily from one cloud provider's environment to another, or to migrate cloud services across several cloud providers to deploy a complex cloud solution. Cloud consumers will not engage with cloud providers that build their cloud platform on closed, proprietary technologies that do not conform to accepted standards. Cloud consumers need to have a viable exit strategy and are more willing to engage with a cloud provider that makes it easier to execute an exit strategy. Therefore it is advantageous for cloud providers to offer maximum interoperability and portability.
Data Portability:
A cloud provider must provide a mechanism to move large amounts of data into and out of the provider's cloud environment. For example, in a SaaS environment, the cloud consumer must be able to upload, in bulk, existing HR records into an HR SaaS application. The consumer must also be able to export in bulk from the HR SaaS application back to their own data center. Failure to provide easy and reliable transfer mechanisms will discourage the adoption of cloud services.
Service Interoperability:
When a cloud provider adheres to well-known and accepted technology standards, it is easier for consumers to develop and deploy cloud solutions that span across more than one cloud provider's environment. For a cloud consumer, service interoperability delivers greater disaster recovery resiliency by removing a single point of failure (i.e. the cloud provider) and greater resource capacity by spreading the workload across several providers' IaaS resources.
System Portability:
This capability enables a consumer to move or migrate infrastructure resources, like virtual machines and applications, easily from one cloud provider to another. As in data portability, this enables a smoother exit strategy that protects a consumer from an unexpected, long-term disruption of a cloud provider's services.
Cloud Provider Function—Security
In Part I of this two-part white paper series, we introduced the concept of the Shared Security Model and its impact on both the cloud consumer and cloud provider. In this section we focus only on the cloud provider's perspective. The traditional confidentiality-integrity-availability (CIA) areas of security still need to be addressed in each of the three service layers (IaaS, PaaS, SaaS). For example, an IaaS provider needs to ensure that the hypervisor is secure and well-configured. In a multi-tenant hypervisor environment, the provider must ensure that a compromised virtual machine cannot be used to gain access to another tenant's virtual machine.
Other areas in which a cloud provider must demonstrate and exercise mature capabilities include:
Authentication: Provide multi-factor authentication by augmenting username/password credentials with a hardware or software RSA token.
Identity management: Provide an effective identity management solution to manage consumer usernames and/or integrate with an in-house system such as Microsoft Active Directory.
Security monitoring: The provider must have strong Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) tools to track and identify any potential security issue.
Incident response: A well-structured security process to deal with breaches, with strong communication channels, is necessary to minimize the impact of any security incident.
Cloud Provider Function—Privacy
A cloud provider must ensure that consumer data stored in the cloud environment is protected and private to the consumer. If the cloud provider collects data about the consumer, or the consumer's activities and behavior patterns, then they must ensure that the collected data is fully protected and remains private, and cannot be accessed by anyone other than the consumer.
Cloud Broker Functions
A cloud broker is an optional cloud player in the delivery of cloud services. NIST defines a cloud broker as an entity that acts as an intermediary between the consumer and provider. A cloud broker is involved in a cloud service delivery when a consumer chooses not to directly manage or operate the usage of a cloud service. A cloud broker can function in one or more of the following scenarios.
Service Intermediation
Service Intermediation is when a broker performs a value-add service on behalf of the consumer. For example, in figure 4, the cloud broker performs some administrative or management function on behalf of the consumer for a particular cloud service. This value-add service may include activities such as invoice management, invoice and usage reconciliation, and end-user account management.
Figure 4: Cloud Broker Service Intermediation
Service Aggregation
Service Aggregation is when a broker integrates two or more cloud services to provide a complex cloud solution to the consumer. Figure 5 illustrates a cloud service that is composed of three different cloud providers' services.
Figure 5: Cloud Broker Service Aggregation
Figure 6 illustrates a more complex cloud solution composed from several cloud services, each one delivered through a unique cloud provider.
Service Arbitrage
Service Arbitrage is when a broker dynamically selects the best cloud service provider in real time. Figure 7 illustrates a broker checking for the best cloud service, for example online storage, from three cloud providers.
Figure 7: Cloud Broker Service Arbitrage
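The selection step in figure 7, written out as an added example (not code from the white paper or from NIST SP 500-292): a broker ranks three constructed online-storage offers against the SLA floor and security requirement the consumer contracted for, and only then picks on price, so the cheapest provider never wins by default. Provider names, prices, SLA figures and the health-probe results are all assumed values.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class StorageOffer:
    provider: str
    price_per_gb_month: float  # constructed list price in USD
    sla_availability: float    # availability the provider contracts to, e.g. 0.999
    encrypts_at_rest: bool     # security control the consumer may insist on
    reachable: bool            # outcome of the broker's live health probe (assumed)

@dataclass(frozen=True)
class ConsumerPolicy:
    min_availability: float          # SLA level the consumer chose (Contract Management)
    require_encryption_at_rest: bool

def rejection_reason(offer: StorageOffer, policy: ConsumerPolicy) -> Optional[str]:
    """Return why an offer is unusable under the policy, or None if it qualifies.
    A low price never overrides the consumer's SLA or security requirements."""
    if not offer.reachable:
        return "failed health probe"
    if offer.sla_availability < policy.min_availability:
        return f"SLA {offer.sla_availability} below required {policy.min_availability}"
    if policy.require_encryption_at_rest and not offer.encrypts_at_rest:
        return "no encryption at rest"
    return None

def select_provider(offers, policy):
    """Pick the cheapest qualifying offer; ties go to the higher SLA.
    Returns (chosen offer or None, per-provider decision log) so the
    broker's real-time choice can later be shown to a cloud auditor."""
    log = {}
    candidates = []
    for offer in offers:
        reason = rejection_reason(offer, policy)
        log[offer.provider] = reason or "eligible"
        if reason is None:
            candidates.append(offer)
    if not candidates:
        return None, log   # no provider meets the policy: broker must not pick anyway
    best = min(candidates, key=lambda o: (o.price_per_gb_month, -o.sla_availability))
    return best, log

# Constructed snapshot of three providers' online-storage offers (cf. figure 7).
OFFERS = [
    StorageOffer("provider-a", 0.020, 0.9999, True, True),
    StorageOffer("provider-b", 0.015, 0.999, True, True),
    StorageOffer("provider-c", 0.010, 0.990, False, True),
]

if __name__ == "__main__":
    policy = ConsumerPolicy(min_availability=0.999, require_encryption_at_rest=True)
    chosen, log = select_provider(OFFERS, policy)
    print(chosen.provider if chosen else "no provider qualifies", log)
```

With the constructed offers, provider-c is cheapest but fails the SLA floor, so the broker settles on provider-b; raising the floor to 0.9999 or marking provider-b unreachable moves the choice to provider-a.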
Cloud Auditor Functions
A cloud auditor is an optional cloud player in the delivery of cloud services. They provide an independent evaluation of a cloud provider's capabilities in terms of security, SLA performance, or adherence to industry standards. A cloud auditor is usually requested by a cloud consumer to evaluate a cloud provider. In some cases, a cloud provider uses a cloud auditor to publicly demonstrate their adherence to industry standards, such as SOX, HIPAA, and PCI compliance. Depending on the business industry and regulatory environment, a cloud consumer must have audited compliance records before they can utilize a cloud service.
Security Audit
In a security audit, a cloud auditor evaluates whether there are sufficient security controls in place and whether the cloud provider demonstrates adherence to best-practice security processes. For example, a cloud auditor may validate whether or not a cloud provider is compliant with the ISO 27001 security standard.
Privacy Impact Audit
A privacy audit by a cloud auditor can provide assurance that personal information (PI) and personally identifiable information (PII) are protected by a cloud provider.
Performance Audit
Bibliography
1. Federal Cloud Computing Strategy, OMB, February 8, 2011
2. NIST Special Publication 500-292
3. NIST Special Publication 500-292
4. NIST Special Publication 500-292
5. NIST Special Publication 500-292
6. NIST Special Publication 500-292
7. NIST Special Publication 500-292
8. http://en.wikipedia.org/wiki/Data_Protection_Directive
Learn More
Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge through training.
Cloud Essentials
Cloud and Virtualization Essentials
Cloud: Roadmap to Success
Cloud Challenge Business Simulation
Visit www.globalknowledge.com or call 1-800-COURSES (1-800-268-7737) to speak with a Global Knowledge training advisor.
About the Author
Vince Lo Faso is the Managing Director of Cloud Service Management at Navigo Technologies, LLC. He is an IT Service and Cloud Management professional with more than 24 years of IT industry experience. He is ITIL® V3 Expert certified; Cloud Essentials™ Professional (CEP) certified; and AWS Partner Business and Technical Professional accredited. Vince holds a master’s degree in computer science and has spoken at conferences such as VMworld User Conference, HP Universe, and local user groups. In addition to having worked as a consultant and practice manager for several HP VARs, Vince Lo Faso has held IT positions with Kraft Canada, Sprint Paranet, and Concordia University.